tv   Atlantic Council Discussion on Cybersecurity  CSPAN  August 3, 2017 4:57am-6:30am EDT

4:57 am
4:58 am
close as possible as assured is for you. i am very happy to see so many people in the room i am the deputy director here at the event the council have this is housed within the scowcroft center for international security also
4:59 am
those following on the webcast i encourage you to join the conversation so we hope this will provide a layer for policy makers to understand the significance and response options coming from those that took place that is defcon and black hat. when very pleased to be joined and first call we have chris thomas.
5:00 am
and with those new shows. and allegis love -- lucinda director for the cybersecurity caucus and those that joined us last week. and then we have a professional staff member from the house energy commerce committee focusing on cybersecurity legislation last leave the moderator for today's event is a free-lance writer was security and technology policy. and then that focuses on the big picture i very much look forward to having a discussion with the short presentation with some of
5:01 am
that excitement and intensity i call that 40 flies in in 60 seconds. you could try it by might hit it but i might not. wonder woman. panels. congress on panels. 2,000 hackers. built a village. held a balanced diet. serious conversation. tinfoil hats. black badges. twenty-four kerry gold, platinum rings, 25,000 hackers in a hallway. issues, cars and trucks and medical devices like this one from the 1870's.
5:02 am
we had all those voting computers we would sign of the things. we did something historic we'll do it again next year. that was a challenge. spare that was from a facebook live it the of floating village and now we will get started with the panel.
5:03 am
[inaudible] [inaudible]
5:04 am
5:05 am
5:06 am
[inaudible] now we would like to invite the panel to come up. >> thanks laura green to be part of this panel. first to have three
5:07 am
conferences also black hat so could you explain the differences could they are geared towards. >> but it started 25 years ago with the death:and then it went to hang out and see each other in person but then 21 years ago then the vendor sponsored the event that has a lot of training as well as a vendor area but it is very commercial selling their wares but then the
5:08 am
last one grew out of talks that were rejected people thought there were still really good house so they created a third conference and that has grown into that hacker centric conference and a lot of do people go there. >> the idea is the b side of the record. but i refer to that as the hacker family reunion because a lot of those people took them to black hat evidence about going to be side. but it is hard to run into
5:09 am
anybody they you know, with any regularity at defcon although black hats is very vendor focused so people go there chiru look for their next job. but that's beside the entire track is dedicated to helping people find their first job. >> what was everyone's role? >> i have been the attendee but then i ducked in and out of teeeighteen right before i went to the airport because four or five days in vegas was enough for me but what are you doing those eight days?
5:10 am
>> i had a talk with other feds from defcon. it is one of those evening lounges. to be very interactive and give them a chance also my boss was that defcon as well. to spend some time with the congressmen so i got to tagalong that was my first experience and would love to go again. >> but for black hat i work for ibm so i had to do some
5:11 am
time in the booth there were readings with other companies that everybody is out one location at one time it is a perfect time to meet other companies or do interviews. so i could sneak away a little bit on that siepi committee on the way that would be presented on the conference. >> so i help those rollo's paper submissions. and then had i eight had to get back to black hat but then i visited neck.
5:12 am
and then visiting those different villages. >> we were clear what we were working space for those that would bridge the gap between that have a policy world so we try to do every can to demonstrate that i was not as a black hat or defcon with a loss of the
5:13 am
i am the cavalry and we had a mock congressional hearing and that was spun. and then to empathize with one another. also a rangy and for them to come out to defcon with a one day crash course or find your hacker spirit animal. and then try to find that personality fit. and then with those interactive exhibits and did a talk saturday night called do no harm.
5:14 am
it was supposed to hold 40 and we had 100 people in line. and then a line out the door. and to help put together in conjunction with the biohacking village vendettas for those who put on the defcon conference. >> i spent a lot of quality time. >> so speaking of these villages and with those
5:15 am
common ground with the social engineering village so can you describe what goes on? >> so they actually had a couple vehicles in place or with those voting machine villages that people could experiment with also of the ics village also of the asylum for kids to learn. there is a wide variety of different activities people can experiment with the or
5:16 am
play with and then get hands-on experience it is all encompassing. >> where most conferences you will see there are 12415 tracks over those eight days that run parallel with each other and it was but it is still the ones with a go because most of the time is spent at the villages or talking with their friends were going to parties that is the all encompassing set of defense for those takeover types also with
5:17 am
black hat and the hacker community. so you will have lots of people who spend all weekend that try to capture the flag and penetration testing and all of those. that is for the crypto and privacy village to go exploring or social engineering. that is the idea to talking way out of any information out of anyone. >> that's right as a journalist you are. [laughter] but the focus is educational awareness and this year more
5:18 am
than ever we tried with that content to make a building policy skills and public policy issues that allow the hackers to become more sickly minded that everyone them to participate that is more not quite hostility, but now things have changed. >> so going back to the evolving relationships what else was different about defcon? so would run up
5:19 am
those congressional staff members? the las vegas is a crazy place. >> for one thing that was different is that there was congressman there but then on that main track to the best of our knowledge it has not happened before but in terms of what was different from i have spoken in the washington d.c. conference a couple of times and tried to use that as a big new - - day then you have an understanding people interested that they have a seat at the table and we have a lot to learn from the
5:20 am
hackers so of course, they may have that predilection that is known for spot the fed game but i caving in expecting of little bit of resistance i didn't want to be an ambassador but every single point - - person i made a point to say i am from congress and i need your help. i expected to get neutral or negative reactions but a lot of people were surprised to see me there. [laughter] but also very interested like they wanted the al let to try to make sure that the
5:21 am
voice of the hacking community was heard and they were very receptive to new the fact i would cover amount into the heat to talk to them. by very much appreciated that myself that there was no barrier and i was will come right away have my first defcon. >> there are relations between the government and it is a good thing we're seeing a lot more of reach and to contact those elected officials. but then that illustrates the point because it was a
5:22 am
gaggle of people just walking around. and the people i knew would say what is going on? and it was interesting to see their reaction and it was weighed more positive than i was expecting. that is a big surprise how engaged people want to be and we realized a final step forward then things will be done and want to make sure we have that input. >> i have a say maritime so
5:23 am
if they say have gore hacker i replace it with researcher researcher. [laughter] maybe people prefer the word hacker but but i would echo everything and i think it is amazing how accepted we were. and they found out rivals from and they thought it was so cool but what i found surprising and this shows that bubble inside the beltway and you have to get out but from my perspective
5:24 am
but i'm thinking you're already involved because we are here seeking your and put. but you'd go need to be part of any special group and agreed to talk to somebody who knows perform you can e-mail me directly were connect the main space.
5:25 am
i would love to talk to. >> in the past i have some everyday that joined in thank you. [laughter] >> you mentioned the cavalry. >> so the cavalry had its own track? >> so the global grass-roots initiative started off exactly almost four years ago. it is something i have been heavily involved with because we found we wanted that pc platform and we had
5:26 am
to attract a third year at the track and that is pretty amazing so this year so one of the things as a price to recover by deals that the hackers and security researchers were actively engaging them but when we talk about that so go tell your boss. so we've laid the groundwork to take care of anything.
5:27 am
we have people living room to make sure things went pretty smoothly. we actually had trouble leaving the areas because so many people wanted to ask positive questions but it was a huge relief in my mind but also shows through the researcher community and i think it actually grew more than that. so they have family is there not as technical for days at home is too many. so we're replacing but a lot
5:28 am
of those have page out of the community that this could be the second or fourth year but the keynote speaker. there was a ted talk and when she got off stage people were really positive and she realized we have permission to engage giving of ourselves but giving it ourselves individual permission. so this year was impressive to help of what some of the people and with those other
5:29 am
public policy. >> a far cry from not that many years ago. >> that was for reasons he will not talk about. >> so part of the reason is about trust across the technology ecosystem that is critical and every fall fame. how has stressed between the research community so how have these relationships. >> that is a tough question.
5:30 am
and then review the we had to be the adults in the room with a secret research communities when that happens we also saw a great cyberpolicy. so what i realized is if we don't engage proactively other people will fill the of poland.
5:31 am
>> we had to step up and become ambassadors for people like neck and jessica of the other side with a firm trust even if it is just very some of those initiatives have gone through congress. >> these have all been passed. >> so there have been know lots of law makers from the side and what we're starting to see is the trust level as
5:32 am
evidenced by those fed panel's from defcon. move but having standing room only. so we see a greater interest than trust level despite the historical baggage. >> one reason is fear like but if i want to talk to the
5:33 am
proposal to know what i am talking about but those then are organizing cars or whatever or take your pick. that is the positive policy ago comes coming from one and convinced the with those disclosure programs for their research pity has so much to offer as. we need their help the we
5:34 am
need to explain congress said tuesday the doors open. we want to hear about it. right to or wrong and if there are challenges then we definitely want to hear and those that would give us the yearlong fellowship and those that had a computer science background. but actually. >> two of them are right here. [laughter] >> but actually now there are more members of congress and all the of 400 something? so it is a
5:35 am
higher density of the same background and staffers so when they work through to form these positions that is not enough. i don't always agree with the things he says. by usually guided is no longer have double. they have to have more than just a staffer of a part-time job purpose of that is absolutely accurate to drive more technical literacy in to public policy >> i have someone with me completely non related background it was about one
5:36 am
year ago when i was watching this panel on line. so let's talk about that that is required between after that talk it almost turned into one week of what i call a normal.
5:37 am
i think that it's a skill we
5:38 am
certainly have a lack of. we would rather spend time with these machines which are logical and simple if we can figure out how they work. we have to build those soft skills and find teammates who are already in the location we want to be and we have to team up with them to go into foreign lands unexplored, learn the language, deal with hostile natives on each side to tell the tales and then establish the trust and trading relationships back and forth, learn the language and write a translation but for the communities and help build that out.
5:39 am
i think that is the only way that a lot of this work has paid off. >> next, what have you as the bridge on the committee how have you approached this translation issue? >> i think what i realized very early on was i didn't need to be a technical expert and they didn't need to be an expert because we could essentially meet in the middle. they could give the technical reality is this is what it will permit and will not and from there i could combine that with the realities and policy goals and objectives and then between however many of us were there we get a bigger rise out of the
5:40 am
solution so that was the biggest part just accepting i don't need to be the technical expert in the room. i know what you're saying because i have a technical background but we are way past. it doesn't matter you tell me this and i believe you and then having that person on the other end of the conversation say i don't understand why you can't just pass a law that does this or regulate everything ever in the world. but you're telling me you can't and i believe you. >> you mentioned the background, and i think at least in my experience you need people with as many different backgrounds as you can imagine to be in cybersecurity writ large. it can't just be technical people or policy people you need more years, psychologists, economists, lots of folks.
5:41 am
we are not spreading them around very much but folks are concentrated in the companies and the hills. i go back to the university science classes and say come work on the hill we would love to have you. i think the flip is also true. tech in general would be wise to invest in policy people. that would help a lot to help bridge the divide in terms of where you're coming from and i think also you can see that in terms of research. it would be great to see more
5:42 am
behavioral but a lot of it tends to focus if you are looking at cybersecurity as a policy challenge, it's absolutely a big part of it. there's a lot of other interesting aspects that deserve exploring as well. >> i need to jump on that because this is an important part of a lot of the conversations. i don't know who came up with it but he can't pass the human element so credit is due whoever said that first. but i think sometimes when you get really technical people, their solution is just have five forms of authentication before you log into your e-mail, you need a retina scan, like my
5:43 am
grandmother isn't going to do that and this is part of the world policy people in the technical world to say your first primary threat model needs to be somebody's grandmother and then kind of go from there. i can relate. i joked when you have technology to people that joke that's why when we are looking at things like access management, the next idea is i know, let's have longer more complicated passwords. humans don't work like that. >> a lot of times they are seen as the people who say no but we need to be the people that say yes and part of the problem is we haven't designed the system for people in mind and it's something hopefully the industry is working towards that we need to enable this for people to get their job done and adding these
5:44 am
forms of authentication before you can log in. >> this is something we could talk about forever and i totally think we should have another cyber wednesday on this. this is my personal area of passion but we are coming up on time and i want to make sure that we hit the last and arguably the most important question which is how can the two communities continue to work together more in the future and what should each community know about the other or during their interactions? >> one thing is terminology. you constantly replace the word hacker with security research
5:45 am
and i encourage you because a lot of people see the word hacker and think criminal, like the first thing that comes to mind is bad people whereas actual hackers use the word as a badge of honor as somebody that likes to explore and find problems and get them fixed as opposed to somebody that just tries to break into stuff. here in dc we hear cyber. outside of dc, we don't like that word so much. we try to stay away from it. so language is a big issue is i try to stay away from words that can have different meanings to different people. >> i know a lot of people have taken up this word but also the linguist in me has this total digital safety for cybersecurity.
5:46 am
>> we don't have to use words that have different meanings to different people. >> this is my contribution to this question is recognized there are certain realities to each group situation that you are not going to change. so unfortunately i have to contradict both of the points just made. when i was writing one of my first reports for congress i refused to use the word cybersecurity. i replaced it with information security and i wouldn't let it go. that's no longer the case. i will put out there that in my opinion the cybersecurity nomenclature battle has been lost. it is cybersecurity and it will be cybersecurity. it's been shortened to cyber. people are going to say it and my advice if you would like to work in the policy world is get used to it.
5:47 am
i don't think it's going anywhere but to make a macro point off of that and tie into the point i've made before about sometimes i think we have folks in the community that talk to us like this is such an obvious solution we have to do it, why aren't you doing it and it's not satisfying to say there are laws and regulations of the reason we can't pass the regulation of these things so i think understand those realities and barriers on each side and why they exist are important, so the mvps of the somebody was mentioning. >> what the two sides learn from each other is the same thing, which is security researchers should look at congress and realize when congress is in your space they are doing it with the best of intentions and i think congress should look at the research community and say
5:48 am
with a few outliers, and i think the same is true for the security research community. you should look out and say as my boss was seen on the video, they are looking for things that are broken so that they can be fixed. they are not looking for things that are broken so they can do anything particularly malicious that anything would say this is broken let's get it fixed and i think that this misconception of congress is out to get us or security researchers that are doing horrible things is if there's things i can get both sides to learn about the other that would be it and then back ties back into building trust. there is more than one analogy about trust this is a leap of faith you're not just going to get there by in order to build
5:49 am
trust you have to be willing to be the person to step out there and say i am taking a risk and we are trying to do that with the security research committee to say we want to get your input. we trust you all are not going to burden us by giving something that gets our bosses names in the headline. >> that is probably the word that would be used so that is what we are trying to do and in terms of connecting with congress being willing to take that leap of faith and say there are members and staff that are willing to work with you is important. >> one of the things i've seen including some of those here in the policy world is curiosity,
5:50 am
desire to learn how things work in a different world and a different space, willingness to put up with some of our character defects or the features ... where we are that may not work in other contexts and to sit down and listen and engage and that is one of the things is most of us started out we wanted to figure out how everything works taking apart the rubik's cube or the radio or everything else and then i figure those things out, we gained a deeper knowledge and understanding that we used to be able to manipulate those things in surprising and interesting ways that have security consequences to them. just recently yesterday we got word that there was a bill introduced in the senate which in the press release they
5:51 am
credited the patient with the atlantic council like myself and josh into some of the folks at harvard with jonathan and bruce consulting with them to make a great bill. looking at that end of the press surrounding it, there were very few security researchers or hackers complaining. there were lots of positive stories about this particular piece of legislation, and i think that is a testament to what can happen when the two sides work together. i don't know whether that bill is going to get passed. i hope a lot of the elements are maintained and are upheld not just in that bill but also a lot of the other postures toward cybersecurity in the federal government. but i think it is a great existence proof that working
5:52 am
together we can be safer and sooner. >> i think that is a great wrap. we are going to open up for questions. for those of us in the room you can obviously raise your hand. you can also message on twitter and for all of you online you can go to arial at work. we have like four panels right now, so hopefully i will catch you all. >> what are the top three things you saw [inaudible] >> i will repeat the question. >> what are the top three things you saw technically that you said we may need to either make a new law or modify an existing law
5:53 am
to address the situation? >> they don't know if i saw anything that would require a new or modified law. there were a lot that made me stand up and say wow this is more important than i thought it would be. voting machines are one of those examples. i was surprised how much interest there was in that. the car hacking village there was a lot of stuff i wasn't expecting. i don't know if any of those things require new laws or modifications but they definitely were interesting and exciting for me to see. >> one of the things we've been talking about for a while on the hill and other places is the digital millennium copyright act which makes security research illegal in a lot of cases if you were doing something like reverse engineering. just recently a couple of years ago there was an exception for security research on medical devices and voting computers. it's very odd. you have to apply through the
5:54 am
library of congress to get an exemption for certain devices and that exemption only lasts for a short amount of time. so thankfully that's one of the reasons we were able to go to defcon this year. medical devices in cars without heather delay on it. there's been some conversation about how do we loosen up laws so that people doing security research and working in good faith don't accidentally get caught in the same law that is used to stop movie pirating. there's also been talk about potentially loosening up a few of the computer fraud and abuse act was written in the 80s and there is a large number of sections that can be very
5:55 am
narrowly applied today that is outside of the original, so there are a lot that need to be changed and updated. i don't know if there are any specifics that would prompt me to say now is the change. >> let's go over here. >> is it like hackers without borders or do they notice which one's others are carrying? >> i would say it's more like hackers without borders. it's very much traditionally done in meritocracy and it's more about what you know than where you're from or who you are and that's starting to be more and more of the case as we get to the future. i won't go down this route is becoming less and less of an issue. i would say as compared with a lot of other places i like that
5:56 am
analogy. it is a couple of organizations that go to other countries and stuff like that. but i also think there's a lot of diversity in the background perspective gender identity, a lot of other things in the community that are i haven't found anywhere else i've gone particularly in education. i know lots of people who dropped out of high school who were some of the best security researchers i know who worked for fortune 100 companies in very prominent roles. there's not quite an inverse relationship between education. but i think that is part of our strength and i think that preserving and enhancing and improving that is really good to
5:57 am
your point. anybody can walk up to anybody else and have a very high fidelity conversation which is part of the reason i think none were afraid to walk up to congress people and say what are you thinking of this or why does this matter, so i think that it's great to have that. >> you can sort of see that play out in the policy going back which the biggest policy concern was putting controls in the way of the vulnerability research defeat security in the united states abroad in the entire ecosystem and the recognition that it's not just the united states issue, security research is one of the primary factors that drove the policy change to say look we need to be examined
5:58 am
this issue and make sure vulnerability reporting isn't something that we need a license to do. >> i know speaking for myself as someone who came from a very different background in an outside place, the openness of the hacker community i start my talk this way, i've cold called people in special operations no problem. i was more terrified than calling special operations but when i got there, shout outs to wendy who is here today and also is the reason i'm in this community at all. when i got there with her, everyone was so nice. and shortly after this event last year she encouraged me to reach out to jeff moss to ask
5:59 am
him some of these very same questions and he and i had a two-hour conversation about it. we have a question on twitter. i think morale and trust is low with respect to policies. any thoughts on the reform and can you remind us what the csa stands for? computer fraud and abuse act. it hasn't been updated much since then. it basically makes a crime out of just about eve. and it has been used as a sledgehammer by some attorney generals to prosecute what i consider to be low-level and they came to the forefront in the case against swedis -- schw.
6:00 am
both of those are tragic cases. >> have there been any efforts to modify. >> any thoughts on reform. >> i don't know if there are any current efforts under way. >> can any folks speak to that? >> i can speak to what the department of justice is doing. i was on a panel with the attorney from the department of justice, and i'm here praising what he said so i hope i get it right. the department of justice is very recently as in last week released new model vulnerability disclosure guidelines for federal agencies that they can use that basically try to clarify what kind of research would be acceptable or that
6:01 am
departments and agencies could put out and say here's something you can do that you don't have to worry the department of justice has worked with the memorandum of understanding that we are not going to come after you for doing this research on the federal side. in terms of a in the world at large, one of the staff, two things, one positive step that justice has taken is to require the review to try to make sure that all of the 94 different offices have similar policies for prosecuting the computer fraud and abuse act cases and justice itself reviewed cases that have been brought under the cfaa and based on their review and feedback they got from security researchers in the last ten years, we need is the case where
6:02 am
justices are like you got that wrong. if it was purely security research and probably shouldn't have been prosecuted as it was. beyond that though, the computer fraud and abuse act does also allow for civil rights and so companies can say he can get such great images because a security researcher has violated that is obviously not contained in the scope of what the justices are reviewing so it is important to recognize the department of justice is taking steps to try to address some of the ambiguity in the security research community. >> the other thing that's important there is not just looking at the doj but when you
6:03 am
look at the federal agencies, we spoke to the -- some of them have come out in support and have been very clear in communicating the expect you to have a coordinated disclosure program and expect it to work constructively with researchers said that something important to keep in mind for the federal government not necessarily related to the reform going after her into trying to make this the norm. >> security researchers have been involved in making these efforts have been. i've had several meetings on the hill myself. >> in that sense there is a lot of moving forward on the
6:04 am
security research aside. whether that's not necessarily for security research but modifying. there was a story about john deere having to go back to the manufacturer to make a change when it could have been hacked. >> that is a very interesting question. we would need a bigger boat. the question there is too you want to be able to allow people to repair very complex machinery where there is a high degree of likelihood they might get something wrong or do you want to lock people out so they have to go through only authorized
6:05 am
repair centers and essentially established some sort of monopoly for repairing whatever and that is an issue you've got two important issues that are in some tension as they are defined right now. but i think that it would take getting the right people in the right room willing to be serious and antiseptic and move forward together. >> there's also questions of the viability. by the way, shameless plug these are the questions we talk about on my podcast. i look forward to having you all on there as well. yes sir. >> i've been doing for years now and it's good to see you guys. i couldn't go this year.
6:06 am
i would be interested in working on policy and in helping. i don't want to have to quit my day job to do that unless you couldn't pay me enough. >> i am a freelancer. [laughter] >> but there is the honor of making the world a safer place and that is what i get to do at my day job. since i came to this corporate education, i actually know how to translate from tech to english so i wonder if you or anybody can give me some guidance on how i can get more involved to make the world a better place. even my license plate is white hat. >> start coming to more events like these, go to the local guides. tickets open soon, check out local meet ups. one of the things that is so great about the community is a one of the many definitions of hacking is how to make things
6:07 am
work in ways people might not expect, nontraditional ways. there's all sorts of official and unofficial ways to get involved. again i wasn't in this world at all 18 months ago. >> at the congressional hearing needed in las vegas a couple people asked us to write questions and we basically went on a 30 minute conversation on how to get involved whether you were in dc or even for folks who are not and don't plan to come to dc anytime soon. that was really instructional. one of the things i took away is the weight of things that can be done in the district. going to talk to the district staff for the congressional representatives or even the local representatives. so much happens at the state level. the district folks are really
6:08 am
seeking people who know what they are talking about in some of these issues there is not an established body of work that comes together like the american bar association and others so no matter where you are you have someone that you hear and you can tap into them to just go in to be your friend. >> or find a grassroots organization with the center for democracy or any of the other organizations that are involved. >> there are numerous opportunities to engage with the federal bureaucracy, the executive branch of government. you mentioned cybersecurity, education, the national
6:09 am
initiative that has been out right now that this has if you know something about cybersecurity education, we want to hear from you so we have a better understanding of the lay of the land and what should we be focusing on as we go forward. the national telecommunications and information administration ran a very successful multi-stakeholder process completely open on vulnerability disclosures. they are running one now on internet of things, patching and awareness we have another
6:10 am
question in front. >> i worked at a company providing crowd based protection. i didn't get to go with my colleagues did and i'm glad this panel is happening. i haven't heard much mentioning of the cloud and i was curious how we could use this to protect against some of the problems. we spent most of our lives in the cloud and on facebook and
6:11 am
the like. >> it seems like another technology that was used these days. what's the phrase, the cloud is just someone else's computer. >> there were a number of talks and lots of vendors who were all there to fill up all of your needs. i have an article coming but looking at the language every vendor can solve all of your problems is a huge problem and i
6:12 am
think we've seen the same with the cloud. it went to almost 200 in the first two quarters. this is something my committee is focused on there are a lot of companies and organizations to
6:13 am
adopt latest greatest thing that present the biggest security risk. it's been interesting for us to say that's great but we stopped at solve the problem from three decades ago. we need to build more security design level because it is possible for an aftermarket solution but it's never going to be as cheap as something.
6:14 am
>> you're talking about those that are 20 or 30-years-old but now we have these devices we are building which we are not putting security and then. >> [inaudible] the work closely together. >> i know you were raising your hand for a little while in the middle here. >> my question is about your reaction to the issue after the election.
6:15 am
>> we also have a couple questions on twitter about some of the results from the voting village, so maybe if you could give a couple, i don't want to get stuck on that because -- >> it was pretty eye-opening. i'm kind of surprised that it was so eye-opening because it's been an issue for the last 20 years. this isn't anything new we didn't know about before. we knew that the machines had been fairly wide open if you will, very easy to compromise. so i'm glad to see that focus on the voting machines. whether there was any issue i can't speak directly to that. >> a lot of times what we hear is no one can hack that. no one wanted and in this case the flip that.
6:16 am
a lot of the research has been done if you go to princeton as a computer running pac-man. the security research committee has known for a long time that voting computers are having a lot of security issues with them and the threat model has usually been to keep those things disconnected from the internet which makes it much harder. if we get the panel last october on hacking the system and the process what we found is kind of what the government has said they are spread out and diffuse that it would take a high number of resources to do anything like that. but we are starting to see indicators that certainly a lot of people are paying attention in the public eye to some of the
6:17 am
potential attempts. i think there were 26 or 30 devices all of them were hacked. only one of them was actually remotely. most of them had to be taken apart, something plugged into my physical access to the device which is some comfort with small comfort. >> i feel like someone would notice. >> they are very closely monitored, especially organizations like the associated press. widespread, something like that something would be noticed. at the local level i'm not so sure if something would stick out so much that on a national level there are so many things year over year there is a large number i think somebody would
6:18 am
notice that. >> there are steps that can be put in place in order to reduce the ability to increase the amount of effort that it would take on a trail that can be printed out into voter verified. >> we have time for probably one or two more questions. >> we will be here for a reception afterwards. >> this is the first under the current administration and i was curious if you could give us a sense of how some of this played out. >> there were maybe some discussions in the hallway otherwise i don't think the activities changed. >> there were some people who
6:19 am
were denied a visa to come to the country. there were also some security researchers who chose to stay away. and there were some people that ran part of the offense that just chose to stay away partially for fear of being turned away at the border but also out of protest against what they see as an unfair policy. so i didn't have a huge impact but it did keep several people away. >> other than the travel issues it's not something where we are like the presidential policies are good or bad or whatever.
6:20 am
>> it's interesting to me how in general you will experience more as the policy discussion than i did but even what was discussed in terms of policy there was very little to no politics which was so refreshing. i will take your question because i know you've been waiting and then one last one from wendy. >> i'm just a citizen interested in this issue. there seems to be a consensus on the panel that new products coming on line in the internet of things are simply repeating the failures that occurred in protective software that was written many years ago. this seems to be in the area of policy would be useful and i'm surprised that it wasn't phrased
6:21 am
as one of the suggestions and then secondarily come as a citizen thinking about all the products that are out there for the potential purpose, what should the average person know about how secure they are. >> they should listen to my podcast. we talk all about that. >> we've done a lot here at the atlantic council on that. public policy is, there is some action that can be taken by the public that doesn't get in the way of innovation which is what everybody is afraid of but that preserves confidence and trust in the markets to be able to grow in a sustainable way and avoid any kind of a catastrophic impact that might hit gdp, national security, trust in government and those kind of things. there's not enough time left on the panel to have a conversation
6:22 am
about that but we can send out some links or something like that on the work that we've done. >> i brought one of my badges with me. they are a really big part of hacking at the conference and reflects on the diy and i wondered if you could share some of that and talk about how that informs the culture at the top. >> i'm glad you asked. i went overboard this year getting the badges especially in electronic are things that are used to be hacked. the little puzzles and easter eggs and cool things if you are sticking around you can see some of these. >> at the beginning there were regular paper badges like
6:23 am
everyone else but with hackers they went to kinko's and copied them into so it's become a constant battle between the organizers and the people that come to get in for free. so finally -- >> that's how it originally started. >> that'll badges and different colors people would spray paint them. now it is circuit boards usually civility with each badge or you can hidden messages in the code or whatnot. with that, now the organization has created their own badges for the villages where they create a badge to have one and give it away. so this was a big thing this year. for contests, the people running the event. this is for speakers, but then
6:24 am
there were also some custom badges. so they had a specific badges and this is another one from the privacy village which is pretty cool. it's got a radio antenna you can pick up signals. there is one for the village which is actually a live culture so you can grow your own yeast and use it in bread and beer. word has it one of the spell of someone's badge and it was full of white powder. [laughter] then there were other unaffiliated badges where they saw people running around selling them and announcing it on twitter site might be like a food truck but here's where people will rush to it. this one is the vendor badge and
6:25 am
click hunter s. thompson crossed with so they've got some cool stuff on it you can play where you try to hack up the debate to other people with bluetooth which is fun except i wasn't very good so i kept getting hacked. this is one of the legendary mr. robot matches which i got in a raffle but this one got shot down pretty quickly. the creators of mr. robot were not involved in the badge creation and so there was a copyright and trademark issue. >> to provide some comparison, those are the badges. the -- i brought the two that i have because i had a feeling this would come up. at the las vegas badge was a poker chip with at&t on it.
6:26 am
the black badge was a piece of paper with a little ribbon. but speaking of mr. robot, i did get to hang out with christian slater, so that was pretty neat. >> you've got some really cool badges and usually when it's electronic stun. >> thank you all so much for coming. i know we will be unavailable for the panel after. thanks much. thank you guys. [applause] residents.
6:27 am
6:28 am
6:29 am
>> the committee will come to order. i want to welcome everybody to today's hearing entitled america's affordable housing crisis, challenges and solutions. this is an important issue in this hearing will allow the committee to hear from experienced and well-educated witnesses that can provide more

